Microsoft Internet Explorer X 5.2.2
Microsoft has released security updates to Internet Explorer for Mac OS X and classic Mac OS.
Internet Explorer X 5.2.2 and 5.1.6 Classic resolve all known security vulnerabilities in previous versions of IE, including the one described in security bulletin MS02-050.
For more information & to download these updates, visit:
Chimera 0.5
I haven't looked at Chimera for a while, but after getting annoyed at the slowness of Mozilla, bugs in IE, and problems with some sites in OmniWeb, I decided to try it again.
When I downloaded Chimera 0.5, I was pleasantly surprised by how far it has come since the last version I tried. Although it's still not finished, it's actually a very usable browser. If you haven't tried it recently, take another look - you'll be pleasantly surprised.
Chimera 0.5 is one of the fastest browsers I've seen in OS X. It doesn't feel bloated like Mozilla and has a nice Aqua appearance. It rendered every site I've tried perfectly and hasn't had any problems with scripts (notably mail.com which gives a "javascript not enabled" error in OmniWeb even though I do have it enabled). It also works properly with the Ensim & Plesk control panels I use to administer this server, which won't work in OmniWeb.
For more information or to download the latest version, visit http://www.mozilla.org/projects/chimera/.
Jaguar Open Source Update
The Darwin team has announced three major Open Source updates based on Mac OS X v10.2 "Jaguar": a Darwin 6.0.1 operating system release, several new Open Directory Plug-ins, and the first Open Source release of Rendezvous source code.
These releases underscore Apple's commitment to distributing core protocols in a manner compatible with true Open Source practices. For more information, please visit http://developer.apple.com/darwin.
The Darwin 6.0.1 kernel, which corresponds to Mac OS X v10.2 (Jaguar), features many enhancements from FreeBSD 4.4 and the KAME IPv6/IPsec code, and is one of the first Open Source operating system releases to be built using GCC 3.1. Darwin 6.0.1 features improved support for POSIX threads and adds several reentrant C library functions, as well as numerous new and updated libraries including ncurses, bzip, and SASL. Darwin now uses bash as the default /bin/sh, and adds python and ruby as scripting languages.
Terminal tip - cdpath
If you use the terminal a lot, the cdpath variable can make it much easier to navigate your file system.
The shell's cdpath variable lists directories that the cd command always searches, no matter what your current directory is. If you add a directory to cdpath, you can cd to any subdirectory of it without specifying a full path name, wherever you are.
To set cdpath, add a line like the following to either .cshrc or .tcshrc in your home directory:
set cdpath = (. .. ~ /Volumes ~/Documents )
In this case, it means you can go to any subdirectory of the current directory (.), the parent directory (..), your home directory (~), any mounted volume, or any subdirectory of your documents folder without having to specify a full pathname.
For example, if you insert a zip disk named 'Zip100' instead of having to type 'cd /Volumes/Zip100' you can simply type 'cd Zip100'.
Powerbacks Slide Alchemy gains visibility with major retailers
Powerbacks Slide Alchemy from Blue Worx, a specialty collection of backgrounds for PowerPoint and other presentation programs, begins to establish itself with major retailers and catalogs.
OfficeMax and Staples, hallmarks in the office supply industry, are both now selling the niche collection in their on-line software stores. Powerbacks comes as both downloadable and CD-ROM media and in duplicate .ppt and .jpg files. The 2,000 images are 1024x768 pixels and average 150K in file size. They are divided into three style categories: templates, sets and artistic. Keyword: powerbacks
Softchoice, a company that provides North American businesses and organizations of all sizes with software and hardware resources, has also picked up the unique product. They manage the software and licensing requirements for millions of computers across Canada and the United States. They employ approximately 150 highly trained outbound sales representatives in 32 regional sales offices located in most major North American cities. In addition to having a comprehensive on-line e-commerce site, they also produce three print catalogs annually.
Trainer's Warehouse is a resource of products for presenters recognized around the world. Known as an innovative supplier that develops and markets quality products designed to help presenters of all kinds, they are now also featuring Powerbacks Slide Alchemy. The company is located in Natick, Mass and they now carry the innovative collection in both their on-line store and national print catalogs.
Powerbacks Slide Alchemy has a suggested retail price of $49.95.
For evaluation, you can obtain a free, fully functional sampler of 100 backgrounds, under PowerPoint through
http://office.microsoft.com/Downloads/ouvp.aspx
or go directly to
http://free-ppt.com
Blue Worx is a Duns listed company 61-345-8236 located at:
9201 N. 29th Avenue Suite 63-273
Phoenix, Arizona 85051
For further information, creator Gary Blue can be contacted by email at blue@powerbacks.com or by phone at 970.963.2400
QuickTime for Windows ActiveX security advisory
Apple Security Advisory APPLE-SA-2002-09-19
A buffer overflow exists in the ActiveX control distributed in Apple
QuickTime for Windows Version 5.0.2. Any user who opens this control in
Microsoft Windows Internet Explorer or other affected Windows mail
clients is vulnerable to attack.
QuickTime versions for Mac OS X or Mac OS 9 are not vulnerable.
Users and web site administrators running the Windows operating system
should upgrade to the new version of the ActiveX control as soon as
possible. This can be done by either downloading a new ActiveX control,
or updating to QuickTime 6 which contains a fixed version of the ActiveX
control.
ActiveX control only: http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.
QuickTime 6 (free update): http://www.apple.com/QuickTime/download/
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following identification to this issue. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun
Description
QuickTime for Windows version 5.0.2 is distributed with an ActiveX
control to allow QuickTime movies to be played on versions of Microsoft
Windows Internet Explorer. The ActiveX control for QuickTime for
Windows 5.0.2 has a buffer overflow vulnerability triggered by
insufficient input validation when parsing the "pluginspage" parameter.
This vulnerability can be exploited by a remote attacker who can induce
a victim to visit any web site with malicious code offering the
vulnerable code or executing a control already present on the victim's
computer. Also affected are users who open HTML messages in Windows
mail clients that use Internet Explorer to render HTML and load ActiveX
controls (e.g., Outlook, Outlook Express, Eudora, etc). Note that an
email attack would be rendered harmless if the end user email client
handled HTML mail in Internet Explorer's Restricted Sites Zone (say by
having applied the Outlook Email Security Update distributed by
Microsoft; Outlook Express 6 and Outlook 2002 handle mail in the
Restricted Site Zone by default). Mail clients unable to render HTML or
that do not invoke Internet Explorer are unaffected.
All web content managers who support QuickTime technology and all
Windows users of Microsoft Internet Explorer are encouraged to upgrade
to the new ActiveX control or QuickTime Version 6.0 as soon as possible.
Solution
Either download the new ActiveX control by itself, or update to
QuickTime 6:
ActiveX control only: http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.
QuickTime 6 (free update): http://www.apple.com/QuickTime/download/
Mitigating factors
- In the case of the web-based attack, an attacker would need to force a
user to visit the attacker's Web site. Users who exercise caution in
visiting web sites could minimize their risk.
- In the web based attack, if ActiveX controls have been disabled in the
zone in which the page was viewed, the vulnerability could not be
exploited. Users who place untrusted sites in the Restricted Sites zone,
which disables ActiveX by default, or have disabled ActiveX controls in
the Internet zone could minimize their risk.
- In the case of HTML email based attacks, customers who read email in
the Restricted Sites zone would be protected against attempts to exploit
this vulnerability. Customers using Outlook 2002 and Outlook Express
6.0, as well as Outlook 2000 and Outlook 98 customers who have applied
the Outlook Email Security Update would thus be protected by default.
Also, Outlook Express 5.0 customers who have chosen to read mail in the
Restricted Sites zone would be protected by default.
- In the HTML email based attack, Outlook 2002 customers who have
enabled the "Read as Plain Text" option available in SP1 or later would
also be protected.
Further information
Are there any caveats associated with the patch?
Yes. Customers should be aware that although the vulnerabilities here
involve an ActiveX control, the patch does not set the Kill Bit.
What is an ActiveX control?
ActiveX controls are small, single-purpose programs that can be called
by programs and web pages. ActiveX allows a programmer to write a piece
of software one time, and make its functionality available to other
programs that may need it.
What is the "Kill Bit"?
The Kill Bit is a method by which an ActiveX control can be prevented
from ever being invoked via Internet Explorer, even if it's present on
the system. (More information on the Kill Bit is available in Microsoft
Knowledge Base article Q240797). Typically, when a security
vulnerability involves an ActiveX control, the patch delivers a new
control and sets the Kill Bit on the vulnerable control. However, it
isn't feasible to do so in this case.
Why isn't it feasible to set the Kill Bit in this case?
The Kill bit is currently implemented in Windows as an "all or nothing"
switch. Setting the Kill bit will totally disable your ability to use
QuickTime in media which invokes it via the ActiveX control. This
includes millions of web pages, along with many CDs and DVDs. By
design, the Web pages, CDs and DVDs contain hard-coded references to the
ActiveX control to load QuickTime. The QuickTime content on these web
pages, CDs and DVDs would no longer be accessible. As a result, a new
ActiveX control is provided to remove the vulnerabilities, but the Kill
Bit is not set on the old one.
Will the Kill Bit on this control be eventually set?
Yes. Microsoft is developing a new technology that will enable it to set
the Kill Bit on the vulnerable version of the control without forcing
users to re-author web pages containing references to these controls.
When the new technology is available, we'll provide a QuickTime update
that makes use of it.
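Added example (not part of Apple's advisory): because the patch leaves the Kill Bit unset, an administrator may want to audit which controls actually have it. Per Microsoft Knowledge Base article Q240797, the Kill Bit is the 0x400 bit of the "Compatibility Flags" DWORD under the "ActiveX Compatibility" registry key for the control's CLSID. The sketch below reads the decoded text of a `reg export` of that key; the sample export and the CLSIDs in it are constructed placeholders, not the QuickTime control's real identifier.

```python
import re

# Key location and flag value as documented in Microsoft KB Q240797.
COMPAT_PARENT = r"\microsoft\internet explorer\activex compatibility"
KILL_BIT = 0x00000400

# Constructed sample of decoded `reg export` text; CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"""

SECTION = re.compile(r"^\[(.+)\]\s*$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})\s*$', re.I)
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_compat_flags(export_text):
    """Map each CLSID under ActiveX Compatibility to its flags (None if unset)."""
    flags, current = {}, None
    for line in export_text.splitlines():
        m = SECTION.match(line)
        if m:
            parent, _, leaf = m.group(1).rpartition("\\")
            in_compat = parent.lower().endswith(COMPAT_PARENT)
            current = leaf.upper() if in_compat and CLSID.match(leaf) else None
            if current:
                flags.setdefault(current, None)
            continue
        m = FLAGS.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags

def kill_bit_set(flags, clsid):
    """True only if the control has an entry and bit 0x400 is set in it."""
    value = flags.get(clsid.upper())
    return value is not None and bool(value & KILL_BIT)
```

The flags value is a bitmask, so an entry such as 0x00800000 does not disable the control, while 0x00000420 does; a control with no entry at all is also not blocked.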
New Site Features
I've activated a few new features in PHP-Nuke 6.0 to make this site more friendly & useful.
I've added a new menu to make all of the site's features easily available. Registered members can now create their own journal.